DISCLAIMER:



The concepts and matters presented are those of the author and do not necessarily represent those of the auDA Board or the auDA SSAC.



The Naming of sites is a difficult matter,
It isn't just one of your holiday games;
You may think at first I'm as mad as a hatter
When I tell you, a site must have THREE DIFFERENT NAMES (at least).

(Apologies to T. S. Eliot)

The three names:
- Domain
- Access / type
- DNS



Domain Name System!

The base for "cloud computing" and "web services",
BUT never designed with security in mind!




Directive for ICANN SSAC 
- November 2001. 



[Screenshot: OpenDNS system status page. "System is currently online." Status history for the last 30 days, Feb 21 to Mar 1, 2011.]



DNSSEC finally goes mainstream
1 April 2011.

"For example, half the security experts quizzed in a recent survey by internet security firm IID (Internet Identity) admitted they either knew nothing about DNSSEC or only had limited familiarity with the protocol."

Source URLs:
http://www.theregister.co.uk/2011/04/01/dnssec_com_goes_live/
http://www.internetidentity.com/



VERISIGN

.com TLD Signed
31 March 2011

Gartner Research Director, Lawrence Orans:
"The importance of DNSSEC in solving issues of trust on the Internet has reached a tipping point with the signing of .com - one of the most significant milestones in the history of DNSSEC to date. However, there is still more work to be done and the effective deployment of DNSSEC requires collaboration from all parties in the Internet ecosystem."

Source URL: http://www.verisigninc.com/en_US/news-events/press-room/index.xhtml




TRANSITIONS

PSTN:
1878 - First telephone exchange - New Haven, Connecticut
1891 - Strowger stepper switch (automation)
Uniselector - Crossbar
~1972 - First model digital exchange (Telecom Research Labs)
1979 - Digital exchanges

PACKET:
1969 - IMP (BBN-ARPA)
1970 - Mark 1 (UK - NPL - Davies)
~1974 - Xerox PARC Universal Packet
1980s - AustPAC (Telecom/Telstra) - X.25
1984 - Cisco

Trusted (understood?) switching
Call tracing
Emergency services

TRUST




[Photo: NC400 crossbar exchange, '60 Unit Trouble Recorder'. Fault records and '111' emergency call trace records printer.]

Melbourne Exchange 1887
(The Melbourne Telephone Exchange Company established a 100-line exchange in Melbourne in 1882.)

Yellow Pages (Classified Directory)
Reuben H. Donnelley, Chicago, 1886

White Pages
February 21, 1878: first "White Pages" for subscribers in New Haven, Connecticut, USA






Who you trust on the way to a site:
- SEARCH ENGINE
- REGISTRAR
- ISP + RESOLVER
- BROWSER

Trusting your connection!
White House blog, July 22, 2010:

- significant advance in the security of the Internet
- new security upgrade protects against an important online vulnerability: clandestine redirecting of online communications to unwanted destinations
- Domain Name System Security Extensions (DNSSEC) protocol
- helps ensure that when computers want to communicate with one another they don't get tricked into talking to digital imposters instead.

(Digital signatures)








THE AUSTRALIAN DOMAIN NAME ADMINISTRATOR (auDA)

33 open registrars (2 provisional) (April 2011)
• Note - .gov.au: contracted to NetRegistry (no .mil 2TLD)

1 closed registrar
• .edu.au: Education Services Australia




TLD DNSSEC Report (2011-05-06)

Venn diagram (ICANN Research):
- Trust anchors in the Root Zone
- Trust anchors in ISC's DLV

Legend:  Signed?   DS in Root?   ISC DLV?
         NO        NO            NO
         YES       YES           NO

Note: New "open" TLDs - 2011?

Summary:
* 310 TLDs in the root zone in total
* 72 TLDs are signed;
* 69 TLDs have trust anchors published as DS records in the root zone;
* 4 TLDs have trust anchors published in the ISC DLV Repository.

8 March 2011




VERISIGN LABS (DNSSEC Debugger)

Analyzing DNSSEC problems for dbcde.gov.au

.
- Found 2 DNSKEY records for .
- DS=19036/SHA1 verifies DNSKEY=19036/SEP
- Found 1 RRSIGs over DNSKEY RRset
- RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset

au
- No DS records found for au in the . zone
- No DNSKEY records found

gov.au
- No DS records found for gov.au in the au zone
- No DNSKEY records found

dbcde.gov.au
- No DS records found for dbcde.gov.au in the gov.au zone
- No DNSKEY records found
- dbcde.gov.au A RR has value 203.9.222.199
- No RRSIGs found
Analyzing DNSSEC problems for mit.gov.in

.
- Found 2 DNSKEY records for .
- DS=19036/SHA1 verifies DNSKEY=19036/SEP
- Found 1 RRSIGs over DNSKEY RRset
- RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset

in
- Found 2 DS records for in in the . zone
- Found 1 RRSIGs over DS RRset
- RRSIG=21639 and DNSKEY=21639 verifies the DS RRset
- Found 4 DNSKEY records for in
- DS=64788/SHA1 verifies DNSKEY=64788/SEP
- Found 2 RRSIGs over DNSKEY RRset
- RRSIG=3204 and DNSKEY=3204 verifies the DNSKEY RRset

gov.in
- No DS records found for gov.in in the in zone
- No DNSKEY records found

mit.gov.in
- No DS records found for mit.gov.in in the gov.in zone
- No DNSKEY records found
- mit.gov.in A RR has value 164.100.56.222
- No RRSIGs found
Analyzing DNSSEC problems for dot.gov.in

.
- Found 2 DNSKEY records for .
- DS=19036/SHA1 verifies DNSKEY=19036/SEP
- Found 1 RRSIGs over DNSKEY RRset
- RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset

in
- Found 2 DS records for in in the . zone
- Found 1 RRSIGs over DS RRset
- RRSIG=21639 and DNSKEY=21639 verifies the DS RRset
- Found 4 DNSKEY records for in
- DS=64788/SHA256 verifies DNSKEY=64788/SEP
- Found 2 RRSIGs over DNSKEY RRset
- RRSIG=3204 and DNSKEY=3204 verifies the DNSKEY RRset

gov.in
- No DS records found for gov.in in the in zone
- No DNSKEY records found

dot.gov.in
- No DS records found for dot.gov.in in the gov.in zone
- No DNSKEY records found
- dot.gov.in A RR has value 164.100.52.44
- No RRSIGs found
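Each of the three debugger walks above stops at the first delegation whose parent publishes no DS record: the root is secure, but au and gov.in are unsigned, so everything beneath them can only be accepted as insecure, never validated. The following is an added example, not part of the slides and not Verisign Labs' code, that reproduces that walk over constructed zone data. The DNSKEY public keys are filler bytes and the RRSIG check on the DNSKEY RRset is modelled as a boolean flag (both assumptions, since a real check needs the signature algorithm); the DS-to-DNSKEY match is real, using the RFC 4034 Appendix B key tag (the number the debugger prints after DS= and DNSKEY=) and the section 5.1.4 DS digest. The zone broken.in is hypothetical and shows the third state the debugger can report, bogus, here caused by a stale DS left at the parent after a KSK rollover.

```python
"""Chain-of-trust walk in the style of the debugger output above.

Added example: not from the slides, not Verisign Labs' code. Zone data is
constructed: DNSKEY public keys are filler bytes (assumption) and whether the
DNSKEY RRset's RRSIG verifies is a boolean flag (assumption). The DS <-> DNSKEY
match is real: RFC 4034 Appendix B key tags and section 5.1.4 DS digests.
"""
import hashlib
import struct

SHA1, SHA256 = 1, 2            # DS digest types (RFC 4034 s.5.1.3, RFC 4509)
KSK_FLAGS, RSASHA256 = 257, 8  # flags 257 = zone key + SEP bit; algorithm 8

def wire_name(name):
    """Canonical owner name: lowercase, length-prefixed labels, root label last."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (16 bits), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B: fold the RDATA into 16 bits (the DS=/DNSKEY= number)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, dtype):
    """DS digest = H(canonical owner name || DNSKEY RDATA), upper-case hex."""
    h = hashlib.sha1 if dtype == SHA1 else hashlib.sha256
    return h(wire_name(owner) + rdata).hexdigest().upper()

def make_ds(owner, rdata, dtype):
    """The DS record a parent zone publishes for this DNSKEY."""
    return {"tag": key_tag(rdata), "alg": rdata[3], "dtype": dtype,
            "digest": ds_digest(owner, rdata, dtype)}

def ds_matches(ds, owner, rdata):
    """A DS verifies a DNSKEY only if key tag, algorithm and digest all agree."""
    return (ds["tag"] == key_tag(rdata) and ds["alg"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["dtype"]))

def walk_chain(zones, target):
    """Classify each zone from the root down to target; returns [(zone, state)].

    secure   - a DS from the parent (the trust anchor, for the root) matches a
               DNSKEY and the DNSKEY RRset's RRSIG verifies
    insecure - the parent publishes no DS: validation stops and answers are
               accepted unsigned (the au and gov.in cases above)
    bogus    - a DS exists but no DNSKEY matches it, or the RRSIG fails: a
               validating resolver answers SERVFAIL for everything below
    A child inherits an insecure or bogus state from its parent.
    """
    labels = target.rstrip(".").split(".")
    path = ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    result, state = [], "secure"
    for zone in path:
        if state == "secure":
            z = zones.get(zone, {})
            ds_list = ([z["trust_anchor"]] if zone == "." and "trust_anchor" in z
                       else z.get("ds_in_parent", []))
            if not ds_list:
                state = "insecure"
            elif (z.get("dnskey_rrsig_valid", False) and
                  any(ds_matches(ds, zone, k) for ds in ds_list for k in z.get("dnskey", []))):
                state = "secure"
            else:
                state = "bogus"
        result.append((zone, state))
    return result

# Constructed zone data; filler bytes stand in for RSA public keys.
def _key(seed):
    return dnskey_rdata(KSK_FLAGS, RSASHA256, b"\x03\x01\x00\x01" + bytes(range(seed, seed + 64)))

ROOT_KSK, IN_KSK, OLD_KSK, NEW_KSK = _key(0), _key(64), _key(128), _key(192)

ZONES = {
    ".": {"trust_anchor": make_ds(".", ROOT_KSK, SHA256), "dnskey": [ROOT_KSK],
          "dnskey_rrsig_valid": True},
    # Shape of the dbcde.gov.au walk: au is an unsigned delegation.
    "au": {"ds_in_parent": [], "dnskey": []},
    # Shape of the mit.gov.in walk: in is signed, with a SHA-1 and a SHA-256 DS
    # for the same KSK, as in the debugger output; gov.in is not signed.
    "in": {"ds_in_parent": [make_ds("in", IN_KSK, SHA1), make_ds("in", IN_KSK, SHA256)],
           "dnskey": [IN_KSK], "dnskey_rrsig_valid": True},
    "gov.in": {"ds_in_parent": [], "dnskey": []},
    # Hypothetical broken KSK rollover: the parent still publishes the DS for
    # the old key while the child now serves only the new one.
    "broken.in": {"ds_in_parent": [make_ds("broken.in", OLD_KSK, SHA256)],
                  "dnskey": [NEW_KSK], "dnskey_rrsig_valid": True},
}

if __name__ == "__main__":
    for name in ("dbcde.gov.au", "mit.gov.in", "www.broken.in"):
        print(name, walk_chain(ZONES, name))
```

The distinction the walk makes is the one that matters operationally: an insecure zone is simply unprotected, and clients get answers exactly as they did before DNSSEC, whereas a bogus zone disappears for every validating resolver. Publishing a DS before the matching DNSKEY is served, or removing the old DNSKEY before the parent's DS has been updated, turns a signed zone into the second case.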



DNSSEC Standards:

3 "Core" RFCs, March 2005:
RFC 4033 - DNS Security Introduction and Requirements
RFC 4034 - Resource Records for the DNS Security Extensions
RFC 4035 - Protocol Modifications for the DNS Security Extensions

+ 36 associated RFCs?




Key generation - KSK/ZSKs - technology/policy - FIPS 140-2
• HSMs vs software?

Technology / policy for crypto/hash algorithms
• e.g. elliptic curve(s), RSA key length, SHA-256, etc.

Performance questions - bandwidth

Trusted system environment (OS, access control, etc.)

Incompatibilities - large message size for resolvers, etc.
• Firewall interactions

DNSSEC / BGP / NAT interaction
• Note: mobile & wireless



TECHNO / PUBLIC POLICY INTERACTION 



CAs, ISPs and DNS / DNSSEC
• DNSSEC key hierarchy (NOT certificate based)

International / global DNS (e.g. OpenDNS, etc.)
• National vs international crypto policy/law
• e.g. Turkey (crypto usage?)

"Filters" at DNSSEC level?

Changing registrars (effective lock-in?)

DNSSEC ± PKI
UNITED STATES DEPARTMENT OF COMMERCE



SUMMARY (1):

Website: http://www.dnssec-validator.cz/

> Education & training
> Very steep learning curve for staff
> Product and system availability "off the shelf"
> Bespoke software / scripting, e.g. Verisign
> Evaluated products - HSMs - FIPS 140
> DNSSEC API? (Web services / apps)

> Technical, management and business environment
> Processes and procedures / costs / ROI?
> Allocated personnel and functions
> OS / system environment (SELinux?)
> Risk assessment and management
> Mistakes - bringing down your domains?
SUMMARY (2):

• New gTLDs - DNSSEC compulsory! (ICANN)
• ".brisbane", ".sydney", ".racv", ".apple", ??

Worldwide (TLD, ccTLD, 2TLD)
• Verisign - Afilias - Sweden - Czech Republic
• Limited experience

Australia
• In-principle movement towards DNSSEC
• Phased plan announced by auDA (12 August 2010)
• Current extensive evaluation of implications: technical, administrative and economic
• Federal gov't participation in SSAC



SUMMARY (3):

EDUCATION & TRAINING

• The key, and it's missing!
• Traditional tertiary education?
• Private providers?
• Vendors? (Early days!)
• Courses and staff?
• Technical & management aspects
• Test laboratories?
• Remember the OSI test lab? e.g. NIST/USA: the U.S. GOSIP Testing Program (1990)

(National Institute of Standards and Technology)
THE FUTURE (kidns / DANE):

Diffie & Hellman's "public key register"?
(secure key distribution for e-mail / voice-image / SCADA connections, TLS, certificates, etc.
"my key is in the phone book!")

DNS-based Authentication of Named Entities (DANE)



